from lib.cuckoo.common.abstracts import Signature


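class TamperAppinit(Signature):
    """Flag changes to the ``LoadAppInit_DLLs`` registry switch.

    ``LoadAppInit_DLLs`` controls whether the DLLs listed in the sibling
    ``AppInit_DLLs`` value are loaded into processes that load user32.dll.
    A sample that writes or deletes it is changing the AppInit
    DLL-injection / persistence mechanism.

    Coverage notes for analysts:
      * Only the ``LoadAppInit_DLLs`` value is matched. Changes to
        ``AppInit_DLLs`` (the DLL list itself) or to
        ``RequireSignedAppInit_DLLs`` are not covered here and need their
        own signature.
      * Both the native and the Wow6432Node (32-bit view) locations match.
    """

    name = "tamper_appinit"
    description = "Tamper with appinit configuration to load unknown dll."
    severity = 4
    categories = ["reg"]
    authors = ["xuhy"]
    minimum = "2.0"

    # Raw string: each "\\" is one literal backslash in the registry path.
    # The leading ".*" absorbs the hive prefix (e.g. HKEY_LOCAL_MACHINE).
    regkeys_re = [
        r".*\\(SOFTWARE|Software)\\(Wow6432Node\\|WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
    ]

    def on_complete(self):
        """Mark every modified registry key that matches ``regkeys_re``.

        Returns:
            True when at least one IOC was marked, otherwise False.
        """
        # Without ``actions`` check_key() also considers keys that were only
        # opened or read. Mere reads are not tampering and would raise a
        # severity-4 alert on benign lookups, so only modifying operations
        # are considered.
        modifying_actions = ["regkey_written", "regkey_deleted"]

        for indicator in self.regkeys_re:
            matches = self.check_key(
                pattern=indicator,
                regex=True,
                actions=modifying_actions,
                all=True,
            )
            for regkey in matches:
                self.mark_ioc("registry", regkey)

        return self.has_marks()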
